Under the electronic health records (EHR) metric, The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10) requires attestations from doctors that they are not knowingly and willfully limiting or restricting their EHR’s ability to share information with providers that may have different record systems. CMS has issued new guidance reminding providers of their responsibilities to promptly share medical information with patients and other clinicians, or else face financial penalties. The targets are providers participating in the Merit-based Incentive Payment System (MIPS) to comply with MACRA. The notice stated physicians will need to attest that they are not engaged in information blocking and that they give patients their data in a timely fashion. Many physicians and medical practices use vendors for their information management systems. They will now have to ensure their vendors enable them to comply with the information sharing mandates.

Under MIPS, providers become eligible for either bonus payments or penalties based on their performance, including evidence of quality improvement, cost reduction or maintaining current levels of spending; efficient use of EHRs; and clinical improvement activities such as later office hours and greater use of care coordination. The Prevention of Information Blocking Attestation has three related statements for MIPS eligible clinicians:

They did not knowingly and willfully take action to limit or restrict the compatibility or interoperability of Certified EHR Technology (CEHRT).

They implemented technologies, standards, policies, practices, and agreements reasonably calculated to ensure the CEHRT was connected and compliance with applicable law and standards for timely access by patients to their data and other health care providers.

They responded in good faith and in a timely manner to request to retrieve or exchange EHR from patients and other health care providers.

CMS also stated that physicians would not be held accountable for things outside of their control, but must get adequate assurances from their vendors that they are able to comply with the information sharing requirements. On the other hand, physicians must take care that they don’t violate the HIPAA Privacy law for patient Protected Health Information (PHI).

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

The HHS Office for Civil Rights (OCR) HIPAA Privacy Rule enforcement has been steadily increasing since it began the effort in 2003. Over the years, OCR has received over 175,000 HIPAA complaints and initiated nearly 1,000 compliance reviews. OCR investigations have resolved nearly 30,000 cases by requiring changes in privacy practices, taking corrective actions, or providing technical assistance to HIPAA covered entities and their business associates. OCR has been enforcing the HIPAA Rules where an investigation indicates noncompliance by the covered entity or their business associate. OCR investigations have ranged widely and included national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. To date, OCR has settled or imposed a civil money penalty in about 60 cases resulting in a total dollar amount of about $75,000,000. The average of enforcement penalties has been about $1.5 million per case. In another 12,000 cases, no violations were found. In another 25,000 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. In the balance of over 100,000 cases, OCR determined that the complaint did not present an eligible case for enforcement, because of lack of jurisdiction; complaints were untimely or withdrawn by the filer; or the activity described didn’t violate HIPAA;

Cases that OCR closes fall into five categories:

Resolved without investigation. OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. These include situations where the organization is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.

Technical assistance only. OCR provides technical assistance to the covered entity, business associate, and complainant through early intervention by investigators located in headquarters or a regional office.

Investigation determines no violation. OCR investigates and does not find any violations of the HIPAA rules.

Investigation results corrective action obtained. OCR investigates and provides technical assistance to or requires the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. Corrective action closures include those cases in which OCR enters into a settlement agreement with a covered entity or business associate.

Other. OCR may investigate a case if (1) DOJ is investigating the matter; (b) it was as result of a natural disaster; (c) it was investigated, prosecuted, and resolved by state authorities; or (d) the covered entity or business associate has taken adequate steps to comply with the HIPAA Rules, not warranting deploying additional resources.

Order of frequency of issues investigated

Impermissible uses and disclosures of protected health information;

Lack of safeguards of protected health information;

Lack of patient access to their protected health information;

Use or disclosure of more than the minimum necessary protected health information; and

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Foreign hackers and human error are two of the most significant threats to protected health information (PHI) and other health records that providers and health care entities must prepare for, according to four information technology experts speaking at a conference sponsored by Becker’s Hospital Review. They all agreed that breaches and cyberattacks will continue, so health care institutions must be diligent about security systems, audits, training, insurance, and adequately responding to breaches to mitigate punishment and quickly recovery from an attack..

Weakest link

Aaron Miri, chief information officer for Imprivita, and Michael Leonard, director at Commvault, both noted that regardless of the tools and systems put in place to ward off breaches, malware, ransomware, and other cybersecurity threats, people will always be the weakest link. Leonard noted that when it comes to an institution’s cybersecurity program, “people training has to be continuous and repetitive.”

Katherine Downing, senior director at the American Health Information Management Association (AHIMA), highlighted one type of “insider threat”—physicians who do work arounds that bypass the security features of electronic health record (EHR) systems (like texting PHI about patients to each other). Although David Miller, CEO of HCCIO Consulting, LLC, was blunter when asked what the biggest threat was to PHI and other health records—”Russia and China.”

Jurisdictions

Miri noted that providers must deal with a “wide disparity of laws” regarding the security and privacy of health information, not just federal and state laws, but, starting in May 2018, the General Data Protection Regulation (GDPR) issued by the European Union. The GDPR replaces a framework of different information security measures that mainly affected just European companies with a national network and information security strategy that will impact American life sciences and healthcare entities that collect and/or use any data concerning health, genetic data, or other types of protected health information (PHI).

Audits

Miller expressed amazement at how many health care institutions have not had a HIPAA audit in the previous two years. The HHS Office for Civil Rights (OCR) reviews organizations’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules and looks for documentary proof that entities have conducted risk assessments and created and implemented policies and procedures governing areas including the shielding of PHI. Miller noted that providers must continually educate and re-educate staff on policies related to HIPAA. But he added that providers can also “take advantage of a breach situation to talk to senior management to increase security measures.”

Record retention

In addition to protecting PHI, health care entities have to make decisions about destroying records after record retention periods have ended. Katherine Downing, senior director at the American Health Information Management Association (AHIMA), noted that entities “can’t keep everything forever.” Downing noted that health care entities already have the expense of saving, backing up, and securing required health records; doing the same for older records that no longer have to be retained is just an added expense.

In the end, Miri noted that these are the questions that health care entities have to ask: What are they willing to spend to avoid a breach? What are they willing to risk regarding their reputations?

“OCR Enforcement Update” was the topic of the presentation by Iliana Peters, HHS Office for Civil Rights (OCR) Senior Adviser for HIPAA Compliance and Enforcement at the Health Care Compliance Association (HCCA) Compliance Institute. She provided an update on enforcement, current trends, and breach reporting statistics. Peters stated that the OCR continues to receive and resolve complaints of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations of an increasing number. She cited that OCR has received 150,507 complaints to date, with 24,879 being resolved with corrective action measures or technical assistance. At the rate of reports being received, the OCR is estimating receiving 17,000 complaints in 2017. She said that this year OCR has placed a major priority on privacy issues and will be issuing guidance on this, ranging from social media privacy, certification of electronic health record technology, and the rationale for penalty assessment. She spoke about OCR’s Phase 2 audits that are underway, involving 166 covered entities (CEs) and 43 business associates (BAs). These audits are to ensure CEs’ and BAs’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules that include mobile device compliance. They address privacy, security, and breach notification audits. It is expected that among the results of this effort will be increases in monetary penalties this year. Phase 3 will follow the same general approach currently being used, which includes review of control rules for privacy protection, breach notification, and security management.

In her comments about what the OCR has learned from its audits and investigations, Peters made the point that most HIPAA breaches still commonly occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptops computers, that failed to be properly protected with encryption and password.

OCR advice

Peters provided in her slide presentation considerable advice as what CEs and BAs should do to prevent breaches and other HIPAA-related problems. CEs and BAs should:

ensure that changes in systems are updated or patched for HIPAA security;

determine what safeguards are in place;

review OCR guidance on ransomware and cloud computing;

conduct accurate and through assessments of potential PHI vulnerabilities;

review for proliferation of electronic PHI (ePHI) within an organization;

verify that corrective action measures were taken and controls are being followed;

ensure when transmitting ePHI that the information is encrypted;

ensure explicit policies and procedures for all controls implemented; and

review system patches, router and software, and anti-virus and malware software.

Expert tips to meet HIPAA compliance requirements

Carrie Kusserow, MA, CHC, CHPC, CCEP, is a HIPAA expert with over 20 years of compliance officer and consultant experience. She pointed out that the OCR finds that most HIPAA breaches still commonly occur as a result of poor or lapsed controls over systems with PHI. She noted that Iliana Peters stated that the OCR often encounters situations where established internal controls were not followed; in many cases, discoveries of breaches within organizations were not promptly investigated. Also, most of the breaches currently being reported involve mobile devices, specifically laptop computers, and a failure to properly encrypt and password protect PHI. Kusserow offered additional tips and suggestions to those offered in the OCR presentation, particularly as it relates to mobile devices.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.